The joy of open, agile government security compliance
At DrupalGovCon 2019, CivicActions’ Chief Information Security Officer Fen Labalme shared how to transform the cumbersome process of security compliance by using agile methods and automation. Fen knows that security is especially important for our government clients, and believes that the existing culture of compliance doesn’t have to be a barrier to transforming the way they deliver digital services to the public.
In this session, Fen talks about strategies to automate the process of creating a System Security Plan (SSP), documentation that is required to be granted an Authority to Operate (ATO). By creating a shared library of reusable security controls organized by high-level system components, we’re helping agencies build systems that are both compliant and more secure.
“Compliance is not security — compliance is check boxes. I am building systems that are secure as well as compliant.”— Fen
Highlights
- 1:00 — An overview of Fen’s involvement in IT security — starting in 1977!
- 5:25 — All about security compliance for government: FISMA and ATOs
- 9:50 — Why compliance is not security
- 11:50 — How the government is updating risk management
- 15:00 — Why System Security Plans and ATOs are still too static
- 15:50 — Making security agile
- 16:15 — Automating the creation of a System Security Plan (SSP)
- 19:30 — Tools to share control information
- 20:30 — Creating a reusable library of components for each system
- 20:52 — Making machine readable open control for easy automation
- 25:00 — Modules that can help automate Drupal security compliance
- 26:14 — How to avoid writing another ATO ever again
- 32:50 — Using automation for continuous authorization
- 34:00 — Good practices to promote a culture of security
- 36:45 — CivicActions security team’s continuing efforts to automate security — and share our work with others
Resources
- NIST Special Publication 800–53 (Rev. 4)
- OpenControl
- Drupal Compliance as Code
- Open Security Controls Assessment Language (OSCAL)
- FISMAtic
- GovReady: hyperGRC
- AGL Association, a nonprofit helping government modernize
Connect with Fen
